Navigating Complex Contracts: Leveraging Cloud Computing Arrangements "Indirectly" via Third-Party Service Providers
Third-party cloud computing arrangements are an integral (and now standard) element of successful business strategies and operations for large enterprises, particularly those that handle large amounts of data. The benefits of these arrangements are well known, and include cost savings, scalability, flexibility, real-time access to data, better security and improved business agility.
As cloud computing continues to proliferate in scope and complexity, how companies are contracting for the purchase of cloud solutions continues to evolve. In addition to obtaining cloud services and capacity directly from cloud service providers (CSPs), enterprises are also leveraging the cloud "indirectly" through the solutions provided by their third-party service providers (TPSPs). TPSPs can come in many forms, ranging from providers of outsourced services to spot solution providers. This article aims to assist buyers in contracting for cloud functions through TPSPs.
Background on Cloud Services and Contracting Approaches
Cloud solutions come in many different forms, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Anything as a Service (XaaS), and Artificial Intelligence as a Service (AIaaS). These solutions can be architected and delivered through various deployment models, including private, community, public, and hybrid cloud arrangements.
In a typical cloud computing arrangement, a buyer does not take ownership or possession of (or responsibility for) the underlying software, platform, or hardware comprising the solution. Instead, the buyer accesses and uses the solution on a "subscription" basis through the internet. This subscription is typically memorialised contractually, with a buyer entering into an agreement directly with the CSP for delivery of the relevant services.
Another common approach involves the buyer accessing cloud services indirectly through an arrangement with a TPSP. In this approach, the TPSP delivers to the buyer specific products or services that leverage the TPSP's own arrangement with a CSP. The TPSP has a contract in place with the CSP, which often includes "flow down" terms that the CSP requires the TPSP to include in the TPSP's contracts with its customers.
The Challenge from the Buyer's Perspective
The complexity of contracting with TPSPs that leverage CSPs primarily stems from the layered nature of these arrangements. Where multiple parties are involved, each has its own contractual obligations and interests. The buyer often finds itself at the end of a contractual chain and subject to CSP-imposed terms even though the buyer is negotiating and has contractual privity with only the TPSP. Because the CSP's flow-down terms are typically non-negotiable and heavily favour the CSP, the buyer has limited leverage to address its specific needs or concerns. (This is the case even if the buyer has leverage in its negotiations with the TPSP.)
This limited leverage vis-à-vis the CSP can result in a lack of clarity regarding accountability, especially in areas such as service performance, data security, and liability. The buyer might also face challenges in enforcing its rights, as the TPSP often disclaims responsibility for the CSP's obligations. This scenario creates a potential gap in recourse if issues arise. Consequently, buyers must navigate these complexities during the negotiation and contracting process carefully to ensure their interests are adequately protected within a contractual framework that, on the one hand, is between two contracting parties but that, on the other hand, sets out rights and obligations among three parties.
Key Flow-Down Terms Risks and Negotiating Strategies for Buyers
CSP flow-down terms incorporated in TPSP-buyer contractual arrangements typically present the following risks to the buyer:
The TPSP's lack of accountability for the CSP's performance
As a baseline, the CSP's flow-down terms should accurately reflect the CSP's key obligations. The buyer may be surprised that the first draft of the terms it receives does not reflect the basic deal it negotiated or might contain inadequate specificity about the purchased solution's features and functions.
In particular, the buyer should ensure that the CSP commits to comply with specific service level commitments and to perform according to acceptable baseline standards, including for maintenance and support. It is important to confirm that the CSP is financially and technically stable. Applicable disaster recovery procedures and requirements should also be in place.
The buyer should consider these risks of non-availability and instability of the cloud-based solution from several perspectives, including technical and operational (contingency planning), customer relations (how the buyer's customers would be made whole), regulatory (what a regulator would expect) and liability (which party would bear the risk under various scenarios). The terms should permit the buyer to revisit contractual arrangements if the relationship with the TPSP or the CSP changes. Notably, the buyer should not become subject to any new or updated requirements (including on a flow-down basis from the CSP through the TPSP) unless and until the buyer agrees to them in writing.
Limited liability for security incidents involving the buyer's data
Data privacy and security contractual commitments and related processes are arguably the most sensitive aspects of these types of arrangements. This is because a security incident can result in business interruption and critical damage to customer relationships and the buyer's reputation.
Definition of "buyer's data"
As a baseline, the buyer should articulate what data it would like to include in the scope of the contract, and what the TPSP and the CSP may or may not do with that data. Analysis of ownership and use rights to data generated and/or exchanged during the buyer-TPSP-CSP relationship requires several technical, strategic, and legal considerations, including an articulation of the buyer's desired use rights and the desired or necessary restrictions on the counterparties' use of generated and uploaded data. The buyer should carefully consider all data that is stored, transmitted, or otherwise processed through the cloud, including data generated within the cloud, such as the output created by the CSP's tools and analytics. This exercise and the resulting negotiations can be quite involved, and the outcome often has a direct impact on the buyer's business prospects and viability.
The CSP's commitments relating to the buyer's data
The CSP will typically make some type of commitment to comply with applicable laws (more on this below) and maintain adequate security and privacy practices and controls relating to the buyer's data. These commitments can vary by type of data. If data is stored in, or moves between, different countries, it is important for the buyer to consider applicable jurisdictional and cross-border requirements (especially those laws that have an extraterritorial impact like the EU's and UK's General Data Protection Regulation and those that require strict localisation of data like Vietnam's Cybersecurity Law and Decree No 53).
The CSP usually has its own standard privacy and data security approaches, including what happens in case of a security incident, as well as standard protocols and compliance certifications. Depending on its success in the contractual negotiation, the buyer may need to co-ordinate an internal risk assessment and a risk acceptance of these "norms" if they are less than ideal from the buyer's perspective. In its negotiations with the TPSP, the buyer may seek to allocate (as between the buyer and the TPSP) as much responsibility as possible to the TPSP (eg, requirements to enforce agreed-upon standards and requirements with the CSP). In these discussions, the buyer should keep in mind that what the CSP says it will do in the flow-down terms might be less than what it actually does in practice, so the buyer should press the TPSP to obtain the "behind the curtain" information from the CSP.
It is also important to connect the mechanics of when and how a security incident will be reported with the buyer's incident response protocols. As mentioned above, the CSP will rarely be flexible on the timing and format for reporting of incidents. Therefore, in addition to allocating to the TPSP the responsibility of ensuring that the communication of an incident reaches the buyer, the buyer should also consider adding an obligation for the TPSP to inform the buyer of any and all subsequent information provided by the CSP (eg, through calls held by CSPs after a widespread incident).
Risk allocation considerations
Broadly, the buyer should consider the appropriate allocation of risk among the TPSP, the CSP, and the buyer. This requires careful articulation of the parties' relative roles and responsibilities as well as the interdependency or interconnectivity of roles. What can go wrong, when, who would be impacted and how, and who is responsible? Liability under these circumstances often entails damages that are difficult to predict or measure, such as lost profits or revenue, or harm to reputation and brand.
Flow-down terms usually limit the CSP's liability and leave the buyer's liability unlimited. The CSP should indemnify the buyer for third-party claims that arise from data breaches involving the buyer's data, and these indemnities can be subject to a reasonable cap. Some CSPs will limit application of this indemnity to data breaches that result from the CSP's failure to meet the privacy and data security obligations in the contract. The buyer should seek to cover any such gaps in its agreement with the TPSP. The CSP should also be responsible for items such as fraud monitoring, assistance with notices, responses to regulatory inquiries, etc. The buyer should ensure that its own liability obligations are reasonable and appropriately limited. As mentioned above, it is helpful to consider whether the buyer can counter-balance some of the risks of the CSP's terms with what it negotiates with the TPSP directly.
Other related tools
Other tools to help manage risk allocation and liability considerations include the following:
Lack of monitoring and oversight for the CSP
The flow-down terms should commit the CSP to comply with laws: those applicable to it and, in the case of a regulated buyer, those applicable to the buyer's service providers, such as PCI DSS or another industry standard. In addition, the buyer should require the TPSP to comply with any applicable requirements for regular monitoring and oversight, including pursuant to the buyer's policies and procedures and especially if the buyer is a regulated entity. These can include, for example, regulatory and commercial audit obligations. At the same time, the buyer should be mindful that it must be able to operationally follow through and conduct any audits that it insists on including in the terms. Although it is unlikely that the CSP will permit any type of audit that allows access to its facilities, audit rights can work around this in a variety of ways. For example, this can be done through a right to audit books and records and an obligation for the CSP to provide reports on its own ordinary-course audits (eg, SOC 2 reports).
Key Forward-Looking Strategies for Buyers
In conclusion, when entering or maintaining arrangements with CSPs through TPSPs, buyers are advised to craft contracts that adequately reflect the business arrangement, are practical and address key allocation of risk. Specifically, it is important for the buyer to:
Two Manhattan West
375 9th Avenue
New York, NY 10001-1696
USA
+1 212 878 8000
+1 212 878 8375
Inna.Jackson@cliffordchance.com
www.cliffordchance.com